2008-01-21
fdamstra
Dropping connections for IPs ending in .255

I have a strange problem, and while I can't guarantee that it's the checkpoint that's dropping the traffic, it looks like it is, so I'll start here.

The scenario: Users with IP addresses that end in '.255' are unable to access web servers of ours on a particular VLAN.

Here's the architecture:
Two NGX R65 HFA2 enforcement nodes in an active-active ClusterXL configuration are connected to a single Cisco 2924XL switch. The switch is in turn connected to a pair of F5 BigIP load balancers in an active-standby configuration. The web servers sit behind these F5s.

The connections from the switch to the firewall and to the F5s are 802.1q trunks. There are two VLANs going across these trunks: VLAN 80 and VLAN 443.

Users with IP addresses ending in 255 are able to access the web sites on VLAN 80 without issue. However, they are completely unable to access sites on VLAN 443.

Using port mirroring on the switch, I see the SYN from the user to the web server, and then the SYN-ACK response sent out the port to the firewall. However, running 'tcpdump' or 'fw mon' on the firewalls, I see only the SYN (I never see the SYN-ACK response).

So, I'm led to believe that either:
A) The switch isn't properly sending out the frame, or
B) The firewall is dropping the frame.

Because it's only affecting users with IP addresses ending in .255, I tend to think it's not the switch, since it's only a L2 switch and should not be paying any attention to the IP address.

Any thoughts?
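The comparison the poster does by eye (SYN visible at both the mirror port and the firewall, SYN-ACK only at the mirror) can be scripted, and the same script can answer the question that lurks behind an address ending in .255: whether it is actually the broadcast address of its subnet or a perfectly ordinary host in a subnet shorter than /24. The example below is added for this thread and is not the poster's tooling or anything from Check Point, Cisco or F5. The two captures are constructed to reproduce the reported symptom, the addresses (10.1.2.0/23, 192.0.2.0/24) are invented, and the tcpdump-like line format is a simplification assumed for the parser.

```python
"""Pair SYN/SYN-ACK across two capture points and flag .255 client addresses.

Added example for this thread, not the poster's own script. Both captures
below are constructed (not taken from the poster's network) to mirror the
reported symptom: a SYN seen at the switch mirror and at the firewall, but a
SYN-ACK that only the mirror port sees.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed simplified line format: "IP SRC.SPORT > DST.DPORT: Flags [X]"
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

# Constructed: what the mirror port on the switch shows.
MIRROR_CAPTURE = """\
IP 10.1.2.255.51234 > 192.0.2.10.443: Flags [S]
IP 192.0.2.10.443 > 10.1.2.255.51234: Flags [S.]
IP 10.1.2.17.51235 > 192.0.2.10.443: Flags [S]
IP 192.0.2.10.443 > 10.1.2.17.51235: Flags [S.]
IP 10.1.2.255.51236 > 192.0.2.20.80: Flags [S]
IP 192.0.2.20.80 > 10.1.2.255.51236: Flags [S.]
"""

# Constructed: what tcpdump on the firewall shows for the same period.
# The SYN-ACK for the .255 client on port 443 never arrives here.
FIREWALL_CAPTURE = """\
IP 10.1.2.255.51234 > 192.0.2.10.443: Flags [S]
IP 10.1.2.17.51235 > 192.0.2.10.443: Flags [S]
IP 192.0.2.10.443 > 10.1.2.17.51235: Flags [S.]
IP 10.1.2.255.51236 > 192.0.2.20.80: Flags [S]
IP 192.0.2.20.80 > 10.1.2.255.51236: Flags [S.]
"""


def parse_capture(text):
    """Return {(client, cport, server, sport): {"SYN", "SYN-ACK"}}.

    The client is whichever side sent the bare SYN. A SYN-ACK is keyed onto
    the same flow by swapping its source and destination.
    """
    flows = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.group("src", "sport", "dst", "dport", "flags")
        if flags == "S":
            flows[(src, int(sport), dst, int(dport))].add("SYN")
        elif flags == "S.":
            flows[(dst, int(dport), src, int(sport))].add("SYN-ACK")
    return flows


def missing_syn_acks(mirror_text, firewall_text):
    """Flows whose SYN-ACK the mirror port saw but the firewall capture did not."""
    mirror = parse_capture(mirror_text)
    firewall = parse_capture(firewall_text)
    return sorted(
        flow for flow, seen in mirror.items()
        if "SYN-ACK" in seen and "SYN-ACK" not in firewall.get(flow, set())
    )


def ends_in_255(addr):
    """Cheap textual check matching the symptom as the poster describes it."""
    return addr.rsplit(".", 1)[-1] == "255"


def is_subnet_broadcast(addr, prefix_len):
    """True only if addr is the directed-broadcast address of its network.

    With a /24 or longer prefix every .255 address is a broadcast address;
    with a shorter prefix (e.g. /23) only the last .255 in the block is, so
    10.1.2.255/23 is a normal unicast host in 10.1.2.0/23.
    """
    net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    return ipaddress.ip_address(addr) == net.broadcast_address


def report(mirror_text, firewall_text, client_prefix_len=23):
    """One row per lost SYN-ACK, annotated with the two .255 questions."""
    rows = []
    for client, cport, server, sport in missing_syn_acks(mirror_text, firewall_text):
        rows.append({
            "client": client,
            "server": f"{server}:{sport}",
            "ends_in_255": ends_in_255(client),
            "is_broadcast_for_prefix": is_subnet_broadcast(client, client_prefix_len),
        })
    return rows


if __name__ == "__main__":
    for row in report(MIRROR_CAPTURE, FIREWALL_CAPTURE):
        print(row)
```

Run against real captures, the interesting rows are those where `ends_in_255` is true but `is_broadcast_for_prefix` is false for the client's actual prefix length: a device that drops those as "broadcast" is applying a classful /24 assumption to a CIDR network, which is exactly the kind of Layer 3 judgement a plain Layer 2 switch would not be making.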